Personal interpretation of bitcoin white paper



First of all, Nakamoto pointed out in the abstract that what to establish is a decentralized P2P payment system, and does not introduce a third party to solve the problem of double payment. At the same time, it puts forward the solution ideas, and mentions the technical points such as timestamps and proof of work.

Let’s take a look at the text

brief introduction

At present, financial and trade on the Internet are all supported by trusted third parties, such as national mandatory institutions (banks), Super enterprises (Alipay, WeChat), etc., which is a “trust based model”. It is not that the current mode is not easy to use, but since credit is the basis, it is necessary to maintain credit continuously, and the cost is very huge.

So bitcoin came into being, it is no longer based on credit, but based on the principle of cryptography, so that virtual transactions can be agreed between the two sides, direct payment, without the participation of a third party.

As direct payment cannot be changed after confirmation, it is a kind of protection for the seller, while for the protection of the buyer, Nakamoto proposed that “it is easy and pleasant to set up a third-party guarantee mechanism in this environment”. In fact, the design of bitcoin system is unequal to both sides of the transaction. The balance is more inclined to the seller, just like shopping on Taobao. It eliminates the situation that buyers refuse to pay after they buy goods with poor reviews. But at the same time, because bitcoin transaction cannot be changed after confirmation, it also leads to the loophole that the buyer pays but the seller does not deliver goods.

This is another point that bitcoin gives us. Bitcoin network is actually an alternative centralized credit institution, which can not guarantee the credit of both sides of the transaction. At this time, the buyer and the seller can’t cancel the transaction because of the loss of credit of the buyer and the buyer.

After the transaction is successful, it can not be changed. In fact, it is conditional, which is commonly known as 51% attack. It is written in the original text that “the records formed will not be changed unless all the workload proofs are completed again”. Bitcoin adopts a complex workload proof mechanism. To change the transaction block, it needs to be recalculated from this block and all subsequent blocks, which requires a lot of calculation and is very time-consuming. Therefore, it is objectively an unchangeable purpose.

But imagine if the seller and the buyer reach an agreement, or according to the principle of “majority is justice”, most people agree to amend it? This is a real bitcoin flaw, and it leaves room for abuse. The outbreak of global blackmail virus, which is still fresh in our memory, has blackmailed a large number of bitcoin. In the eyes of the vast majority of people in the world, the unjust behavior can be magnificently exploited under the rules of bitcoin. However, we are unable to roll back its transaction, because the existence of bitcoin transaction cannot be changed objectively.


Transaction is the core and the most exquisite part of Nakamoto’s design, which makes people admire. First of all, I’d like to present the original picture of the white paper in English, not the popular Chinese translation on the Internet. The Chinese version is wrong and misled me for a long time.

Personal interpretation of bitcoin white paper

First, understand the definition of coin given in the white paper: “an electronic coin is such a string of digital signatures”. First of all, the concept of bitcoin is very complicated, that is, it is not the same as the real currency, but also different from the Q currency. Q coin can be understood as the token of entity currency circulating online, and it can also record the owner’s name, quantity and other information. In fact, bitcoin doesn’t record who owns and how much money they own, and there is no concept of account. All these are derived from transaction records.

For example, the recording method of Q currency is that a has 100 Q coins, B has 50 Q coins, a transfers 10 Q coins to B 10 Q coins, then a account has – 10 Q coins and B account has + 10 Q coins. This is a centralized operation mode, including banks. The record of bitcoin may be a “a to B10 bitcoin”. Countless such transaction records form a transaction chain, forming a decentralized, open and transparent public account book. If a wants to know how many bitcoins he has, he uses all the transactions he has been involved in to reverse the number.

With this in mind, let’s look at how to send bitcoin from one person to another.

For example, a transaction record: Zhang San sent Li Si 5 bitcoins.

What the sender (Zhang San) has to do is: make hsah for the transaction information and the target address (Li Si’s public key), and then use his private key to digitally sign (that is, encrypt the hash value with Zhang San’s private key), and attach the digital signature to the TX (transaction), and then send it to Li Si through P2P technology.

What does Li Si do after receiving this message: Take Zhang San’s public key published in this transaction to verify the data (public key decryption) and get the hash value X. at the same time, hash the data with his public key and transaction information to get hash (data), and then compare x = hash (data), then we can judge that the transaction came from Zhang San. Because the hash value verified by the public key can only be generated by the private key, and the one verified by Zhang San’s public key must be Zhang San’s private key. The private key will only exist in Zhang San’s place, and denial cannot be denied. Here we use asymmetric encryption, private key digital signature, public key verification data. The public key determines the wallet address, and the private key determines the ownership.

Knowledge point 1: asymmetric encryption

Public key can encrypt or verify data, and private key can decrypt or sign data.
Public key encrypts data and can only be decrypted with private key.
The data can only be encrypted with the public key.
When designing transactions, blockchain uses asymmetric encryption algorithm (SHA-256).

Since it is a payment system, the double spending problem is inevitable.

Knowledge point 2: Double cost problem
If the same amount of money is paid twice, this is the double spending problem.
In the real world, if you forge a piece of gold to trade, it is easy to be falsified, but it is too easy to copy the goods in the virtual world. It seems that there is no problem to launch two transactions with the same money one after another, but there is a double spending problem.

Centralized payment system (Alipay, bank, etc.) is not a problem of double flowers, but a better solution. For example, bank transfer, account a transfers 100 yuan to account B, and the bank will open the transaction, account A-100, account B + 100. This process is similar to that of a mint. The bank will scrap the 100 of account a and then issue a new 100 to account B. As a result of the a account of 100 yuan was invalid, so the problem of double flowers was solved.

So, how does bitcoin solve the double flower problem? As always, most is justice. First of all, all transactions are required to be open to the whole network, so that everyone can trace the origin and development of each transaction, and can not make fraud. Secondly, each transaction has a time stamp, which can determine the order of order and form a time series transaction chain. Third, most of the nodes admit that the transaction is the first time. This leads to the concept of the next chapter: timestamp server.

timestamp server

The timestamp server can prove the existence of some data at certain time by stamping the block with time stamp. Each timestamp has the information of the previous timestamp, so the timestamp also forms a chain, and the latter timestamp is the enhancement of the former. In this way, even if someone wants to tamper with a time stamp, they need to change all the time stamps after it. This process is proved by the workload, which will take a lot of time and computational power, so as to ensure that it can not be tampered with.

Now there is another thought. Bitcoin is not decentralized. How can a timestamp server come out? If there is a server, it will become centralized again. In fact, this server is not that server, or that sentence, most of which is justice. The time is taken from the median time of at least five other nodes, and the difference between the median and local time cannot exceed 70 minutes.

Knowledge point 3: median
A mathematical concept, a proper term in statistics, representing a value in a sample, population, or probability distribution, which divides the set of values into equal upper and lower parts.
The median is the representative value of all units determined by its position in all the marked values, which is not affected by the maximum or minimum value of the distribution sequence, so as to improve the representation of the median on the distribution sequence to a certain extent.

Therefore, the median is less affected by the extreme value than the average, and can represent the middle value of the distribution sequence.

The operation mechanism of time stamp is that all transactions in the interval between two blocks are hashed. After the timestamp is stamped, we get a transaction record generated by time series, which is called blockchain.

proof of work

The workload proves that it is commonly known as “mining”. One is to waste electricity, the other is to waste computing power, and bitcoin is not money from mining. So why do we need to mine?

Imagine that a transaction has been generated and broadcast to the whole network. Now that three people a, B and C have received the transaction information, they can time stamp the transaction, and then package the block to the chain. However, the transaction information received by everyone is different, and the time of receiving is also different, so the generated block hash is very different. Therefore, a consensus mechanism is needed at this time. If consensus is reached in the whole network, competition mechanism needs to be introduced. Just like a long-distance race, whoever hits the line first will be given the right to account (time stamp, package block). So how to create a scene where everyone participates in the long-distance running? The proof of work mechanism will come.

The white paper defines how to prove the workload, that is, using the CPU’s computing power to enumerate the required values, such as a hash value with n zeros at the beginning of a string. This process requires computational effort and time-consuming. Due to the different CPU computing power, a, B, and C have the order. The first person who meets the requirements has the bookkeeping right of the next block, so a consensus has been reached.

At this point, imagine again, if three persons B in a, B and C stand out through the workload proof and get the bookkeeping right, what if he tampers with the transaction record or maliciously constructs the transaction to realize double flower?

Due to the existence of pow mechanism, B gets the bookkeeping right. At the same time, he pays the cost of power and CPU computing power, and tampers with a certain transaction of bitcoin. It needs to modify all the transactions after the modification, which brings more cost. When the cost of evil is far greater than the benefits of tampering with records, it is like spending 100 yuan. In order to earn 1 yuan, will he still choose to do evil?

The proof mechanism of workload simply means that it increases the cost of doing evil and makes the input-output ratio of doing evil lower than that of being an honest node. This is the finishing touch of Nakamoto’s application of game theory.

On the other hand, the difficulty of proving workload changes with time. If the production speed of blocks is too fast, the difficulty will increase. From the initial CPU to the GPU to the ore pool, the mining cost has been increasing, and the difficulty is becoming more and more. More and more people are worried about whether or not the pure CPU pool will be occupied by the general public. Therefore, the problem of whether or not the pure CPU pool will be occupied by more and more people is becoming a prominent problem. Therefore, a new consensus mechanism, such as the share certificate mechanism (POS), emerged to avoid the concentration of computational power.


The first few chapters describe the transaction, time stamp and workload proof of bitcoin system in turn. Here, we will talk about how the bitcoin system network works and how transactions flow and package into blocks and form chains in the network.

The previous steps are actually very easy to understand. Go on with the proof of workload and broadcast to the whole network after being packaged into blocks. It does not mean that the block is effective after accounting is completed, or it needs to be verified by “most people are justice”. If and only if all transactions contained in the block are valid and have not existed before, other nodes will recognize the block The effectiveness of. “All transactions are valid” and “never existed before” refer to the verification of transactions and verification timestamps by nodes in the whole network. Only after the majority of transactions are verified can this block be recognized.

After the whole network accepts the block, the method of acceptance is to create a new block at the end of the block to extend the block. This design is also very clever, the purpose is to promote the generation of a longest chain, and the most honest, the most just, because only the most accepted blockchain will be extended.


We have been talking about the proof of workload all the time, but it is only here that the stimulation point of the proof of workload is really illustrated. Why did the big guy spend all his life on electricity, time and effort to do it? Because there is an incentive mechanism, only by providing an incentive mechanism in a decentralized system can we ensure its long-term operation. This is what the so-called “starting with passion and maintaining with interests”.

There are two kinds of incentives in the bitcoin system. One is “the first transaction of each block is specially processed, and the transaction generates a new electronic currency owned by the creator of the block”, which is used to subsidize the cost of workload proof; the other is transaction fee, “if the output value of a transaction is less than the input value, the difference is the transaction fee, which will be added to the incentive of the block” It is used to subsidize the cost of transaction confirmation.

Reclaim hard disk space

The solution is the storage problem. Since every node in the bitcoin network will synchronize all transaction records, the volume is expanding. The solution proposed in the white paper is to use Merkel hash tree to store the consumed transaction information, and only store the root node of this tree into the block. Merkel hash tree is saved by some IPFs, public nodes and high trust nodes. At the same time, if you want to backtrack transactions, you just need to download all transaction records from the relevant tree.

Simplify payment authentication

This is actually a problem brought about by the recovery of hard disk space. When the nodes in the chain no longer keep complete transaction chain information, they must go through a simplified payment authentication, which is a compromise scheme.

When a storage Merkel hash tree node is attacked or found abnormal, the system will prompt the user to download the data stored in this node to ensure that the transaction data in the whole chain is not tampered with. At the same time, some financial institutions or nodes that are sensitive to all transaction data will keep all transaction records, instead of reclaiming hard disk space.

Combination and segmentation value

This piece of content is a supplement to the transaction. At the same time, it instills an idea that bitcoin is completely different from the real currency. There is no unit conversion, only difference. The combination and division of value can be realized by addition and subtraction.

The most important thing is to make it clear that a transaction (TX) contains multiple inputs and multiple outputs.

Because the bitcoin system does not record the account, only records the transaction information, so the amount of money held by each person is inversely deduced by the transaction. Similarly, when making a transaction, you need to quote one or more transaction records to aggregate your electronic currency, so there are multiple inputs.

Another feature of bitcoin system transaction is that every transaction consumes all the money, which means inputs = outputs. Therefore, one output is the number of transactions in the target wallet, and the other is the change. All the change is returned to the payer.


This is actually a matter of great concern to the public. On the one hand, the bitcoin network is said to be decentralized and transparent. On the other hand, it is said that bitcoin is anonymous and does not trust each other. What is the matter?

In fact, it is very simple. There is no account concept in the bitcoin network. Only the wallet address is obtained from the public key hash. In this link, the wallet is public and the public key is anonymous. The public can see that there is a wallet address that sends a sum of money to another wallet address, but there is no information that can link the wallet address with someone, thus ensuring the privacy of users. It’s just to see that there’s a deal going on, but you don’t know who’s trading.


Bitcoin: a peer to peer electronic cash system
DASENG 2017 (big fish) intensive reading bitcoin white paper series (1-6)
Godsexwhite paper on bitcoin decryption (3) – when you send bitcoin, what are you sending? “
Personal translation and annotation of bitcoin white paper by Jin Xiao
Transaction of bitcoin – digital signature (1)
What is “double payment” and how to solve it? “
Baidu Encyclopedia “median”